Changelog:
pcsc-lite-1.5.3: Ludovic Rousseau
- SCardEstablishContext(): check we do not reuse an already allocated
hContext
Thanks to Daniel Nobs for the bug report and patch
- pcsclite.h: add missing SCARD_E_* and SCARD_W_* return code. They are
unused by pcsc-lite but defined on Windows
- reader.h: add PIN_PROPERTIES_STRUCTURE structure and
FEATURE_IFD_PIN_PROPERTIES
Thanks to Martin Paljak for the patch
- remove powermgt_macosx.c since it is using APSL version 1.1 instead of
the BSD-like licence like the other files
Thanks to Stanislav Brabec for the bug report
- avoid a possible crash due to a race condition
Thanks to Matheus Ribeiro for the patch
- change default log level from PCSC_LOG_INFO to PCSC_LOG_ERROR to limit
syslog pollution
- CardDisconnect(): call RFUnlockAllSharing() instead of
RFUnlockSharing() to release all nested locks. The problem occurs if
SCardBeginTransaction() are made without corresponding
SCardEndTransaction(). OpenSC "pkcs11-tool -I" exhibits such a
behavior.
Thanks to Marc Rios Valles for the bug report
- some other minor improvements and bug corrections
Packages Collection.
The netpgp command can digitally sign files and verify that the
signatures attached to files were signed by a given user identifier.
netpgp can also encrypt files using the public or private keys of
users and, in the same manner, decrypt files which were encrypted.
The netpgp utility can also be used to generate a new key-pair for a
user. This key is in two parts, the public key (which can be used by
other people) and a private key.
In addition to these primary uses, the third way of using netpgp is to
maintain keyrings. Keyrings are collections of public keys belonging
to other users. By using other means of identification, it is
possible to establish the bona fides of other users. Once trust has
been established, the public key of the other user will be signed.
The other user's public key can be added to our keyring. The other
user will add our public key to their keyring.
This software is built on top of openpgpsdk 0.9.1, but provides a
higher-level interface, is autoconf-ed and libtool-ed, and has had
some significant bugs fixed.
* Version 2.6.5 (released 2009-04-11)
** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to
specify the client hello message record version. Used to overcome buggy
TLS servers. Report by Martin von Gagern.
** GnuTLS no longer uses the libtasn1-config script to find libtasn1.
Libtasn1 0.3.4 or later is required. This is to align with the
upcoming libtasn1 v2.0 release that doesn't have a libtasn1-script.
** API and ABI modifications:
No changes since last version.
Version 2.1 (released 2009-04-17)
- Fix compilation failure on platforms that can't generate empty archives,
e.g., Mac OS X. Reported by David Reiser <dbreiser@gmail.com>.
Version 2.0 (released 2009-04-13)
- Optimized tree generation.
- ASN1 parser code re-generated using Bison 2.4.1.
- Build with more warning flags. Many compiler warnings fixed.
- Compiled with -fvisibility=hidden by default if supported.
See http://gcc.gnu.org/wiki/Visibility
- The libtasn1-config tool has been removed.
For application developers, please stop using libtasn1-config for
finding libtasn1, use proper autoconf checks or pkg-config instead.
For users that need a libtasn1 that provides a libtasn1-config
script (for use with older applications), use libtasn1 v1.x instead.
Version 1.x is still supported.
changes:
-DBus now automatically starts the gnome-keyring service properly
-Initialize daemon with LOGNAME and USERNAME environment variables
-Add DBus method for getting the gnome-keyring environment variables
-misc fixes
- updating package to 1.24
Upstream changes:
v1.24 2009.04.01
- add verify hostname scheme ftp, same as http
- renew test certificates again (root CA expired, now valid for 10 years)
- removed packages p5-IO-Compress-Base, p5-IO-Compress-Zlib,
p5-IO-Compress-Bzip2 and p5-Compress-Zlib because they are
merged into p5-IO-Compress
- Updated dependend packages to depend on p5-IO-Compress
and bump PKGREVISION
Upstream changes:
2.017 30 March 2009
* Merged IO-Compress-Base, IO-Compress-Bzip2, IO-Compress-Zlib &
Compress-Zlib into IO-Compress.
* The interface to Compress-Raw-Zlib now uses the new LimitOutput
feature. This will make all of the zlib-related IO-Compress modules
less greedy in their memory consumption.
* Removed MAN3PODS from Makefile.PL
* A few changes to get the test harness to work on VMS courtesy of
Craig. A. Berry.
* IO::Compress::Base & IO::Uncompress::Base
Downgraded some croaks in the constructors to just set $! (by letting
the code attempt to open a file and fail).
This makes the behavior more consistent to a standard open.
[RT #42657]
* IO::Uncompress::Base
Doing a seek with MultiStream could drop some of the uncompressed
data. Fixed.
* IO::Compress::Zip
- Fixed problem with the uncompressed & uncompressed fields when
zip64 is enabled. They were set to 0x0000FFFF instead of
0xFFFFFFFF. Also the ZIP64 extra field was 4 bytes short.
Problem spotted by Dino Chiesa.
* IO::Uncompress::Unzip
- use POSIX::mktime instead of Time::Local::timelocal to convert
the zip DOS time field into Unix time.
* Compress::Zlib
- Documented Compress::Zlib::zlib_version()
From distribution NEWS file:
Many fixes and improvements to the ID-WSF 1 support, new API to load SSL keys
off memory, documentation for ID-WSF methods, general robustness and memory
leak fixes.
- Added a "lookaside" mode to cvm-qmail, to assist with proper chaining
to cvm-vmailmgr or other modules.
- Fixed failure in cvm-qmail when virtualdomains did not exist.
- Fixed client.h symlink to point to v2client.h to match the library.
- Fixed cvm-vmailmgr to fail with OUTOFSCOPE=1 when the virtual password
table file does not exist, instead of failing with an I/O error.
This should improve its ability to chain with other modules.
- Added cvm-sqlite from Wayne Marshall
Changes between 0.9.8j and 0.9.8k [25 Mar 2009]
*) Don't set val to NULL when freeing up structures, it is freed up by
underlying code. If sizeof(void *) > sizeof(long) this can result in
zeroing past the valid field. (CVE-2009-0789)
*) Fix bug where return value of CMS_SignerInfo_verify_content() was not
checked correctly. This would allow some invalid signed attributes to
appear to verify correctly. (CVE-2009-0591)
*) Reject UniversalString and BMPString types with invalid lengths. This
prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
a legal length. (CVE-2009-0590)
*) Set S/MIME signing as the default purpose rather than setting it
unconditionally. This allows applications to override it at the store
level.
*) Permit restricted recursion of ASN1 strings. This is needed in practice
to handle some structures.
*) Improve efficiency of mem_gets: don't search whole buffer each time
for a '\n'
*) New -hex option for openssl rand.
*) Print out UTF8String and NumericString when parsing ASN1.
*) Support NumericString type for name components.
*) Allow CC in the environment to override the automatically chosen
compiler. Note that nothing is done to ensure flags work with the
chosen compiler.
mk/dlopen.buildlink3.mk until very late in the proceedings. Fixes build on
Linux. No PKGREVISION bump required, no functional change on platforms where
the build completed.
Addresses PR pkg/41080.
Ok'd by wiz@
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
1.3.10:
- add support for MSI StarReader SMART, Noname reader (from
Omnikey), Xiring Xi Sign PKI, Realtek 43 in 1 + Sim + Smart Card
Reader, Atmel AT98SC032CT, Aktiv Rutoken Magistra, TianYu CCID
SmartKey, Precise Biometrics 200 MC and 250 MC
- add a patch to support the bogus OpenPGP card (on board key
generation sometimes timed out)
- disable support of the contactless part of SDI010 and SCR331DI
(this code was reverse engineered and hard to maintain)
- some minor bugs removed
1.3.9:
- add support for Aladdin eToken PRO USB 72K Java, Cherry
SmartTerminal ST-1200USB, Atmel AT91SO, SpringCard Prox'N'Roll,
CSB6 Basic, EasyFinger Ultimate, CSB6 Ultimate, EasyFinger
Standard, CrazyWriter, CSB6 Secure, KONA USB SmartCard, HP MFP
Smart Card Reader, ACS ACR122U PICC, Gemalto PDT, VMware Virtual
USB CCID
- MacOSX/configure: do not overwrite PCSC_CFLAGS, PCSC_LIBS,
LIBUSB_CFLAGS and LIBUSB_LIBS if already defined by the user
- by default, link statically against libusb on Mac OS X
- IFDHPowerICC(): use a very long timeout for PowerUp since the card
can be very slow to send the full ATR (up to 30 seconds at 4 MHz)
- SecurePINVerify(): correct a bug when using a Case 1 APDU and a
SCM SPR532 reader
- log the reader name instead of just the pcscd Lun
- some minor bugs removed
pcsc-lite-1.5.2:
- SCardGetStatusChange(): return if the state of the reader changed
since the previous call. Thanks to Thomas Harning for the patch
- SCardCancel() no works as expected. It got broken in version 1.5.0.
Closes: [#311342] SCardCancel does not cancel an outstanding
SCardGetStatusChange
- log TxBuffer and RxBuffer if the SCardControl() command failed.
Closes: [#311376] PCSC_LOG_VERBOSE via -dd; print details of "Card not
transacted"
- add a mutex to avoid a race condition
Closes: [#311377] Race condition in SCardBeginTransaction
- SCardGetStatusChange() may not return if the reader was removed.
- some other minor improvements and bug corrections
pcsc-lite-1.5.1:
- Extended APDU of more than 2048 bytes were corrupted. The problem was
introduced in version 1.3.3 (2 years ago) by making the code compile
with Sun Studio 11.
Thanks to Eric Mounier for the patch
- some other minor improvements and bug corrections
pcsc-lite-1.5.0:
- correctly handle up to PCSCLITE_MAX_READERS_CONTEXTS readers (instead
of PCSCLITE_MAX_READERS_CONTEXTS-1)
- SCardGetStatusChange()
. now returns SCARD_E_TIMEOUT instead of SCARD_S_SUCCESS if dwTimeout
== 0 (conform to Windows XP)
. add support of reader name \\?PnP?\Notification to detect reader
insertion/removal (conform to Windows XP)
. if a reader disappear also set SCARD_STATE_UNAVAILABLE in
dwEventState (more conform to Windows XP)
- SCardStatus(): add support of SCARD_AUTOALLOCATE for pcchReaderLen and
pcbAtrLen
- SCardGetStatusChange() now uses asynchronous events instead of polling
- more and/or better Doxygen documentation
- SCardTransmit(): correctly pass the pioRecvPci parameter
- SCardConnect() and SCardReconnect(): correct a bug when two
applications were calling SCardConnect() or SCardReconnect() at the
exact same time
- pcscd logs the command name sent by the application (when in debug mode)
- some other minor improvements and bug corrections
pkgsrc changes:
* add net/avahi dependency to enable key sharing support
Changes between 2.24.0 and 2.26.0:
==================================
* Searching by key identifiers now shows results.
* Disable interactive tree search in key manager.
* Add libcryptui documentation.
* Remove use of GTK+ deprecated symbols.
* Allow creation and deletion of keyrings from main GUI.
* Only autostart seahorse-daemon when key sharing is enabled.
* seahorse-daemon registers with session manager properly.
* Remove bits of libcryptui that are now handled by the gcr library
from gnome-keyring.
* Tons of other fixes and changes.
Changes between 2.24.0 and 2.26.0:
==================================
* Refactor PKI code to make it modular, loosely coupled and easier
to hack and test.
* Add standard widgets for display of certificates.
* If login keyring doesn't exist when changing a PAM password,
don't create it automatically.
* Overhaul the secure memory allocator to have memory guards,
be valgrind compatible, and also be sparing with secure memory.
* When importing keys, prompt to initialize new PKCS#11 tokens.
* Fix export of RSA keys to be more interoperable.
* Make the gp11 library multi-thread safe.
* Rework initialization of daemon, and the way that it
integrates with the new session manager.
* Close open file descriptors before starting daemon from PAM.
* Don't leave keyring daemon running if PAM just started it
for a password change.
* Register environment variables with session properly.
* Remove usage of deprecated glib/gtk stuff.
* Hundreds of other smaller changes and fixes.
* Fixed PDF XSS issue where a non-GET request for a PDF file would crash the
Apache httpd process. Discovered by Steve Grubb at Red Hat.
* Removed an invalid "Internal error: Issuing "%s" for unspecified error."
message that was logged when denying with nolog/noauditlog set and
causing the request to be audited.
* Fixed parsing multipart content with a missing part header name which
would crash Apache. Discovered by "Internet Security Auditors"
(isecauditors.com).
* Added ability to specify the config script directly using --with-apr
and --with-apu.
* Updated copyright year to 2009.
* Added macro expansion for append/prepend action.
* Fixed race condition in concurrent updates of persistent counters. Updates
are now atomic.
* Cleaned up build, adding an option for verbose configure output and making
the mlogc build more portable.
config file or command line and will pass any function call by openssl to a
PKCS#11 module.
Engine_pkcs11 is meant to be used with smart cards and software for using
smart cards in PKCS#11 format, such as OpenSC. Originaly this engine was a
part of OpenSC, until OpenSC was split into several small projects for
improved flexibility.
on some platforms that lacked shared library support in the past. The
list hasn't been maintained at all and the gain is very limited, so just
get rid of it.
Alliance standards: ID-FF, ID-WSF and SAML. It defines processes for
federated identities, single sign-on and related protocols. Lasso is
built on top of libxml2, XMLSec and OpenSSL and is GPL licensed.
This package provides python bindings for Lasso.
Alliance standards: ID-FF, ID-WSF and SAML. It defines processes for
federated identities, single sign-on and related protocols. Lasso is
built on top of libxml2, XMLSec and OpenSSL and is GPL licensed.
* hide_empty_slots now on by default.
* pinpad supported fixed for Mac OS X.
* ruToken driver was updated.
* openct virtual readers reduced to 2 by default.
* link with iconv on Mac OS X for i18n support.
* Security issue: Fix private data support. [CVE-2009-0368]
* Enable lock_login by default.
* Disable allow_soft_keygen by default.
Its main focus is on cards that support cryptographic operations, and
facilitate their use in security applications such as mail encryption,
authentication, and digital signature. OpenSC implements the PKCS#11 API
so applications supporting this API such as Mozilla Firefox and Thunderbird
can use it. OpenSC implements the PKCS#15 standard and aims to be compatible
with every software that does so, too.
format for PC/SC-Lite, as CT-API driver, or as a small and lean middleware,
so applications can use it with minimal overhead. OpenCT also has a primitive
mechanism to export smart card readers to remote machines via TCP/IP.
Update dependency to security/p5-Net-SSLeay to 1.33 as notes in modules
META.yml
Upstream Changes:
v1.23 2009.02.23
- if neither SSL_ca_file nor SSL_ca_path are known (e.g not given and the
default values have no existing file|path) disable checking of
certificates, but carp about the problem
- new test certificates, the old ones expired and caused tests to fail
0.12
Made Cyrus.xs more compatible with Perl API by changing function calls
like Perl_warn() to just warn(), and defining PERL_NO_GET_CONTEXT.
Made SASL properties which take an IP address and load it into the SASL
library more robust by determining if the passed address is in
"struct sockaddr" format or in "IP1.IP2.IP3.IP4;PORT" format.
Fixed passing of "function + params" as a callback.
0.11
Fixed t/callback.t to NOT try connecting to the LDAP server
on localhost since that, well, doesn't work at Pause.
0.10
Added better callback management, Perl memory management,
and three test scripts, as written by Ulrich Pfeifer.
0.09
Changed securesocket GLOB, as suggested by Marius Tomaschewski.
Extended SASL2 support.
0.08
Changed the "code" routine to return the result code of the
last SASL library call. This allows differentiation of the
result of the client_step returning a zero byte string vs.
it saying authentication is complete.
Pkgsrc changes:
o Adjust dependencies according to module requirements (added p5-Crypt-IDEA)
Upstream changes:
1.34 2009.02.01
- Rekey properly after 1 GB of data (rt.cpan.org #25044). Patch by
Peter Oliver.
- Don't try to process nonexistent or empty auth file (rt.cpan.org #41877).
- Fix typo in croak message (rt.cpan.org #42056), thanks to
jamie at audible.transient.net.
- Move 'use base' call after Crypt module loading, per suggestion
(rt.cpan.org #42051).
- Only apply stdin if defined in SSH1 - John Payne (rt.cpan.org #42583)
v1.22 2009.01.24
- Net::SSLeay stores verify callbacks inside hash and never clears them, so
set verify callback to NULL in destroy of context
v1.21 2009.01.22
- auto verification of name in certificate created circular reference between
SSL and CTX object with the verify_callback, which caused the objects to be
destroyed only at program end. Fix it be no longer access $self from inside
the callback.
Thanks to odenbach[AT]uni-paderborn[DOT]de for reporting
v1.20 2009.01.15
- only changes on test suite to make it ready for win32
(tested with strawberry perl 5.8.8)
* Version 2.6.4 (released 2009-02-06)
** libgnutls: Accept chains where intermediary certs are trusted.
Before GnuTLS needed to validate the entire chain back to a
self-signed certificate. GnuTLS will now stop looking when it has
found an intermediary trusted certificate. The new behaviour is
useful when chains, for example, contains a top-level CA, an
intermediary CA signed using RSA-MD5, and an end-entity certificate.
To avoid chain validation errors due to the RSA-MD5 cert, you can
explicitly add the intermediary RSA-MD5 cert to your trusted certs.
The signature on trusted certificates are not checked, so the chain
has a chance to validate correctly. Reported by "Douglas E. Engert"
<deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
** libgnutls: result_size in gnutls_hex_encode now holds
the size of the result. Report by John Brooks <special@dereferenced.net>.
** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.
Reported by Tristan Hill <stan@saticed.me.uk>.
** libgnutls: Permit V1 Certificate Authorities properly.
Before they were mistakenly rejected even though
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Reported by
"Douglas E. Engert" <deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures.
This is a bugfix -- the previous attempt to do this from internal x509
certificate verification procedures did not return the correct value
for certificates using a weak hash. Reported by Daniel Kahn Gillmor
<dkg@fifthhorseman.net> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>,
debugged and patch by Tomas Mraz <tmraz@redhat.com> and Daniel Kahn
Gillmor <dkg@fifthhorseman.net>.
** libgnutls: Fix compile error with Sun CC.
Reported by Jeff Cai <jeff.cai@sun.com> in
<https://savannah.gnu.org/support/?106549>.
The pam_mkhomedir module provides the means for automatic creation of
home directories upon login, if necessary. Key Benefits are:
* Uses the Pluggable Authentication Module API defined in OSF DCE RFC 86.0.
* Removes the need to pre-create user home directories.
The software is distributed under the terms of the 2.5-clause BSD license.
The pam_mkhomedir module provides the means for automatic creation of
home directories upon login, if necessary. Key Benefits are:
* Uses the Pluggable Authentication Module API defined in OSF DCE RFC 86.0.
* Removes the need to pre-create user home directories.
The software is distributed under the terms of the 2.5-clause BSD license.
The pam_mkhomedir module provides the means for automatic creation of
home directories upon login, if necessary. Key Benefits are:
* Uses the Pluggable Authentication Module API defined in OSF DCE RFC 86.0.
* Removes the need to pre-create user home directories.
The software is distributed under the terms of the 2.5-clause BSD license.
* pkgsrc change: relax restriction to kerberos package.
What's new in Sudo 1.7.0?
* Rewritten parser that converts sudoers into a set of data structures.
This eliminates a number of ordering issues and makes it possible to
apply sudoers Defaults entries before searching for the command.
It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
sudoers-format files.
* Sudo's -l (list) flag has been enhanced:
o applicable Defaults options are now listed
o a command argument can be specified for testing whether a user
may run a specific command.
o a new -U flag can be used in conjunction with "sudo -l" to allow
root (or a user with "sudo ALL") list another user's privileges.
* A new -g flag has been added to allow the user to specify a
primary group to run the command as. The sudoers syntax has been
extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
to be run via the shell. Previously, the argument was passed
to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used in
conjunction when connecting to an LDAP server. The krb5_ccname
parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
to specify the sudoers order. E.g.:
sudoers: ldap files
to check LDAP, then /etc/sudoers. The default is "files", even
when LDAP support is compiled in. This differs from sudo 1.6
where LDAP was always consulted first.
* Support for /etc/environment on AIX and Linux. If sudo is run
with the -i flag, the contents of /etc/environment are used to
populate the new environment that is passed to the command being
run.
* If no terminal is available or if the new -A flag is specified,
sudo will use a helper program to read the password if one is
configured. Typically, this is a graphical password prompter
such as ssh-askpass.
* A new Defaults option, "mailfrom" that sets the value of the
"From:" field in the warning/error mail. If unspecified, the
login name of the invoking user is used.
* A new Defaults option, "env_file" that refers to a file containing
environment variables to be set in the command being run.
* A new flag, -n, may be used to indicate that sudo should not
prompt the user for a password and, instead, exit with an error
if authentication is required.
* If sudo needs to prompt for a password and it is unable to disable
echo (and no askpass program is defined), it will refuse to run
unless the "visiblepw" Defaults option has been specified.
* Prior to version 1.7.0, hitting enter/return at the Password: prompt
would exit sudo. In sudo 1.7.0 and beyond, this is treated as
an empty password. To exit sudo, the user must press ^C or ^D
at the prompt.
* visudo will now check the sudoers file owner and mode in -c (check)
mode when the -s (strict) flag is specified.
* Publish GCRY_MODULE_ID_USER and GCRY_MODULE_ID_USER_LAST constants.
This functionality has been in Libgcrypt since 1.3.0.
* MD5 may now be used in non-enforced fips mode.
* Fixed HMAC for SHA-384 and SHA-512 with keys longer than 64 bytes.
* In fips mode, RSA keys are now generated using the X9.31 algorithm
and DSA keys using the FIPS 186-2 algorithm.
* The transient-key flag is now also supported for DSA key
generation. DSA domain parameters may be given as well.
- Bugfix release, forward and backward compatible with 2.0.0
- Ability to build as a Mac framework (and build this way by default)
- On non-Mac Unix, the pkgconfig file is always qca2.pc, even in debug
mode
- Certificates containing wildcards are now matched properly
- DirWatch/FileWatch now work
- Keystore writes now work
- Don't delete objects in their event handler (prevents Qt 4.4 warnings)
- Fix potential hang with TLS in server mode
- Windows version can be configured/installed using paths with spaces
Upstream changes:
Authen-SASL 2.12 -- Mon Jun 30 21:35:21 CDT 2008
Enhancements
* GSSAPI implement protocol according to RFC, but by default,
remain compatible with cyrus sasl lib
* DIGEST-MD5 implement channel encryption layer
Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
*) Properly check EVP_VerifyFinal() and similar return values
(CVE-2008-5077).
*) Allow the CHIL engine to be loaded, whether the application is
multithreaded or not. (This does not release the developer from the
obligation to set up the dynamic locking callbacks.)
*) Use correct exit code if there is an error in dgst command.
*) Tweak Configure so that you need to say "experimental-jpake" to enable
JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
*) Add experimental JPAKE support, including demo authentication in
s_client and s_server.
*) Set the comparison function in v3_addr_canonize().
*) Add support for XMPP STARTTLS in s_client.
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
to ensure that even with this option, only ciphersuites in the
server's preference list will be accepted. (Note that the option
applies only when resuming a session, so the earlier behavior was
just about the algorithm choice for symmetric cryptography.)
Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
*) Fix a state transitition in s3_srvr.c and d1_srvr.c
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
*) The fix in 0.9.8c that supposedly got rid of unsafe
double-checked locking was incomplete for RSA blinding,
addressing just one layer of what turns out to have been
doubly unsafe triple-checked locking.
So now fix this for real by retiring the MONT_HELPER macro
in crypto/rsa/rsa_eay.c.
*) Various precautionary measures:
- Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
- Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
(NB: This would require knowledge of the secret session ticket key
to exploit, in which case you'd be SOL either way.)
- Change bn_nist.c so that it will properly handle input BIGNUMs
outside the expected range.
- Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
builds.
*) Allow engines to be "soft loaded" - i.e. optionally don't die if
the load fails. Useful for distros.
*) Add support for Local Machine Keyset attribute in PKCS#12 files.
*) Fix BN_GF2m_mod_arr() top-bit cleanup code.
*) Expand ENGINE to support engine supplied SSL client certificate functions.
This work was sponsored by Logica.
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
keystores. Support for SSL/TLS client authentication too.
Not compiled unless enable-capieng specified to Configure.
This work was sponsored by Logica.
*) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
attribute creation routines such as certifcate requests and PKCS#12
files.
network security scanner with associated tools like a graphical
user front-end. The core component is a server with a set of network
vulnerability tests (NVTs) to detect security problems in remote
systems and applications.
amavisd-new-2.6.2 release notes
MAIN NEW FEATURES SUMMARY
- bounce killer: improved detection of nonstandard bounces;
- bounces to be killed no longer waste SpamAssassin time;
- tool to convert dkim-filter keysfile into amavisd configuration;
- compatibility with SpamAssassin 3.3 (CVS head) regained;
- rewritten and expanded documentation section on DKIM signing and
verification in amavisd-new-docs.html;
COMPATIBILITY WITH 2.6.1
- apart from small differences in logging and notifications, the
version 2.6.2 is compatible with 2.6.1, with its configuration file
and its environment;
- virus scanner entries were updated (as described below, most notably by
adding a regexp flag m), so be sure to update existing configuration file;
updated virus scanner entries can be used with 2.6.1 too;
- the %sql_clause default has changed in detail (see below), if its value
is overridden in a configuration file the setting may need updating;
See full release notes:
http://www.ijs.si/software/amavisd/release-notes.txt
Correct settings for file ownership (*OWN, *GRP in patch-aa and patch-ao).
Added missing installation directories in patch-aa.
Sorted PLIST to placate pkglint.
Adapted filename in patch-an to the way mkpatches generates nowadays.
Fixes PR#39223.
THIS IS A FUCKING HACK (nichts für die Goldwaage..)
Don't read the man-pages/*.pm's (they are dummy), check t/*
and fix OpenSSL.xs
Don't forget to try -
print OpenSSL::CRL::new_from_file("crl.pem")->info
- it's the only CRL stuff that's supported :)
OpenSSL::HMAC is dummy.
OpenSSL::BN is untested.
* gnutls: Fix chain verification for chains that ends with RSA-MD2 CAs.
* gnutls: Fix memory leak in PSK authentication.
* certtool: Move gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0) call earlier.
It needs to be invoked before libgcrypt is initialized.
* gnutls-cli: Return non-zero exit code on error conditions.
* gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.
Should fix PR#40189.
Upstream changes:
2008-11-14 Gisle Aas <gisle@ActiveState.com>
Release 2.38
The 2.37 tarball was infected by various '._*' files.
Thank you, Mac OS X!
Applied warning fix from Geoff Richards [RT#19643]
Applied compatiblity fix from Alexandr Ciornii [RT#30348]
2008-11-12 Gisle Aas <gisle@ActiveState.com>
Release 2.37
Sync up with consting changes from the perl core.
Fixes PR#40188, though the dependency bump is not done
(is not reflected in the module's META.yml).
Upstream changes:
v1.18 2008.11.17
- fixed typo in argument: wildcars_in_cn -> wildcards_in_cn
http://rt.cpan.org/Ticket/Display.html?id=40997
thanks to ludwig[DOT]nussel[AT]suse[DOT]de for reporting
due to GCC 4), though those aren't mentioned in the upstream change log.
Other changes:
2007-06-09 gettextize <bug-gnu-gettext@gnu.org>
* m4/gettext.m4: New file, from gettext-0.16.1.
* m4/iconv.m4: New file, from gettext-0.16.1.
* m4/lib-ld.m4: New file, from gettext-0.16.1.
* m4/lib-link.m4: New file, from gettext-0.16.1.
* m4/lib-prefix.m4: New file, from gettext-0.16.1.
* m4/nls.m4: New file, from gettext-0.16.1.
* m4/po.m4: New file, from gettext-0.16.1.
* m4/progtest.m4: New file, from gettext-0.16.1.
2003-03-08 17:38 nmav
* Makefile.am:
Honor DESTDIR variable. Patch by Andrew W. Nosenko <awn@bcs.zp.ua>
2003-03-08 17:29 nmav
* src/mcrypt.c, NEWS:
Made the algorithm and mode command line input case insensitive.
2003-03-08 17:08 nmav
* doc/mcrypt.1:
some corrections in the manpage by Michael Mason
<mgm@eskimoman.net>
avoid that warning, the ints are first cast to size_t, which is more
likely to match the size of a pointer. Unfortunately, the intptr_t and
uintptr_t types are marked optional in C99.
* skeyprune is perl script, need runtime dependency on perl5.
* Fixes mis-use of config.h (patch-a[d-i]), avoid to use a mixture of
local hash function with system RMD header.
Fixes build failure reported by PR 39872 and PR 39953.
Bump PKGREVISION.
lib/krb5/os/dnsglue.c uses statbuf structure before zeroing it.
Solaris requires it be zeroed first... all kerberos programs that
use dns lookup crash. Zeroing before use does not break anything
on any other platforms.
Bump PKGREVISION.
- Add libtasn1-config for compatibility.
Please stop use it as it will disappear in v2.0!
Use standard AC_CHECK_FUNCS autoconf tests or pkg-config instead.
- Read PKCS-12 blob as binary file, fixes self-tests under Mingw.
- Fix use of __attribute__ ((deprecated)) to work on non-GCC.
Changes 1.6:
- Fixed namespace violation for MAX_NAME_SIZE and MAX_ERROR_DESCRIPTION_SIZE.
The new names are ASN1_MAX_NAME_SIZE and ASN1_MAX_ERROR_DESCRIPTION_SIZE.
- Fixed namespace violation for libtasn1_perror and libtasn1_strerror.
The new names are asn1_perror and asn1_strerror.
- Fix namespace violation for LIBASN1_VERSION.
The new name is ASN1_VERSION.
- Decoder can now decode BER encoded octet strings.
- doc: Change license on the manual to GFDLv1.3+.
- doc: Sync gdoc script with GnuTLS, changes license on man-pages to GAP.
- doc: Improve gtk-doc manual.
- Assumes system has strdup and string.h.
- Remove libtasn1-config and libtasn1.m4,
use standard AC_CHECK_FUNCS autoconf tests or pkg-config instead.
- Change detection of when to use a linker version script,
use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.
Fix a problem with PK's strndup() implementation assuming all strings
passed to it would be NUL-terminated. This is known to fix crashes with
polkit-gnome-authorization and clock-applet.
PolicyKit is an application-level toolkit for defining and handling the
policy that allows unprivileged processes to speak to privileged processes:
It is a framework for centralizing the decision making process with respect
to granting access to privileged operations for unprivileged applications.
PolicyKit is specifically targeting applications in rich desktop environments
on multi-user UNIX-like operating systems. It does not imply or rely on any
exotic kernel features.
This package provides a D-Bus session bus service for bringing up
authentication dialogs used for obtaining privileges.
PolicyKit is an application-level toolkit for defining and handling the
policy that allows unprivileged processes to speak to privileged processes:
It is a framework for centralizing the decision making process with respect
to granting access to privileged operations for unprivileged applications.
PolicyKit is specifically targeting applications in rich desktop environments
on multi-user UNIX-like operating systems. It does not imply or rely on any
exotic kernel features.
against recent openpam headers produce non functioning pam_ldap.so
on NetBSD 4.99.47(?) or more recent systems.
There's something really fishy in the headers...
Pkgsrc changes:
o Adapt patch-aa, still needed for non-hanging tests...
Upstream changes:
1.33 2008.10.21
- Fix open() calls (rt.cpan.org #40020)
- Fix non-shell problem (rt.cpan.org #39980)
- Allow full agent forwarding (rt.cpan.org #32190)
- Handle hashed known_hosts files (Greg Sabino Mullane, rt.cpan.org #25175)
1.32 2008.10.16
- Add IO::Handle to Perl.pm (rt.cpan.org #40057, #35985)
- Minor test cleanups.
1.31 2008.10.02
- New co-maintainer, Greg Sabino Mullane (TURNSTEP).
- Prevent t/03-packet.t from hanging due to high file descriptor.
(altblue at n0i.net, rt.cpan.org #6101)
- Skip some tests if Math::GMP not installed (e.g. from choosing only
protocol 2 in Makefile.PL) (Greg Sabino Mullane, reported in
rt.cpan.org #25152)
- If ENV{HOME} is not set, use getpwuid. If both fail and the dir
is needed, we croak. (Greg Sabino Mullane, expanded from patch
by dgehl at inverse.ca in rt.cpan.org #25174)
- Fix incorrect logical/bitwise AND mixup (Peter.Haydon at uk.fujitsu.com,
rt.cpan.org #31490)
- Allow empty stdin for SSH2 (rcp at rcable.co.uk, rt.cpan.org #32730)
- Adjust terminal dimensions dynamically if Term::ReadKey is available
(john at sackheads.org, rt.cpan.org #34874)
Authen::PluggableCaptcha is a fully modularized and extensible
system for making Pluggable Catpcha (Completely Automated Public
Turing Test to Tell Computers and Humans Apart) tests.
Pluggable? All Captcha objects are instantiated and interfaced via
the main module, and then manipulated to require various submodules
as plug-ins.
Authen::PluggableCaptcha borrows from the functionality in
Apache::Session::Flex.
* Version 2.6.2 (released 2008-11-12)
** libgnutls: Fix crash in X.509 validation code for self-signed certificates.
The patch to fix the security problem GNUTLS-SA-2008-3 introduced a
problem for certificate chains that contained just one self-signed
certificate. Reported by Michael Meskes <meskes@debian.org> in
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505279>.
** API and ABI modifications:
No changes since last version.
Changes since 0.0.14:
* epa-mail-encrypt now skips unusable keys.
* epa-file now uses canonical file names as keys for passphrase cache.
* Fixed a load-error of epa on XEmacs.
* epa-file bug fixes.
* Prepare auto-mode-alist to strip .gpg suffix when choosing major-modes.
* Don't signal an error when opening a nonexistent file via Tramp.
* epa-verify-region now decodes the plaintext with
coding-system-for-read or one saved as epa-coding-system-used.
* Version 2.6.1 (released 2008-11-10)
** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3]
The flaw makes it possible for man in the middle attackers (i.e.,
active attackers) to assume any name and trick GNU TLS clients into
trusting that name. Thanks for report and analysis from Martin von
Gagern <Martin.vGagern@gmx.net>. [CVE-2008-4989]
Any updates with more details about this vulnerability will be added
to <http://www.gnu.org/software/gnutls/security.html>
** libgnutls: Add missing prototype for gnutls_srp_set_prime_bits.
Reported by Kevin Quick <quick@sparq.org> in
<https://savannah.gnu.org/support/index.php?106454>.
** libgnutls-extra: Protect internal symbols with static.
Fixes problem when linking certtool statically. Tiny patch from Aaron
Ucko <ucko@ncbi.nlm.nih.gov>.
** libgnutls-openssl: Fix patch against X509_get_issuer_name.
It incorrectly returned the subject DN instead of issuer DN in v2.6.0.
Thanks to Thomas Viehmann <tv@beamnet.de> for report.
** certtool: Print a PKCS #8 key even if it is not encrypted.
** tests: Make tests compile when using internal libtasn1.
Patch by ludo@gnu.org (Ludovic Courtès).
** API and ABI modifications:
No changes since last version.
for all autoconf definitions that pollute namespace. Additionally,
I've prepared a distribution patch from FreeBSD ports which
fixes many memory leaks (see comment in patch).
PKGREVISION++
Eksblowfish is a variant of the Blowfish cipher, modified to make
the key setup very expensive. ("Eks" stands for "expensive key
schedule".) This doesn't make it significantly cryptographically
stronger, but is intended to hinder brute-force attacks. It also
makes it unsuitable for any application requiring key agility. It
was designed by Niels Provos and David Mazieres for password hashing
in OpenBSD. See Crypt::Eksblowfish::Bcrypt for the hash algorithm.
See Crypt::Eksblowfish::Blowfish for the unmodified Blowfish cipher.
Eksblowfish is a parameterised (family-keyed) cipher. It takes a
cost parameter that controls how expensive the key scheduling is.
It also takes a family key, known as the "salt". Cost and salt
parameters together define a cipher family. Within each family, a
key determines an encryption function in the usual way. See
Crypt::Eksblowfish::Family for a way to encapsulate an Eksblowfish
cipher family.
* gsasl: Don't use poll with POLLOUT to avoid busy-waiting.
* doc: Error codes are now extracted using official library APIs.
* doc: Included cyclomatic code complexity charts of the library code.
* tests: Add self test of obsolete base64 functions.
* Update gnulib files. Improves Windows compatibility.
Some highlights:
Bug #1680965 sans lookup fails -- Jordan Wiens
Fixed index.php redirect -- Kevin Johnson for Terry Burton
Added Worldmap feature -- Juergen Leising
Added Vendor MAC Map -- Juergen Leising
Increased memory limit from 50 to 128 MB in base_graph_common.php
Fixed "Select Signature from List" in the query form -- Juergen Leising
Newly generated coordinates file world_map6.txt. -- Juergen Leising
See docs/CHANGELOG for all the details
for IDN and inet6 support.
v.17 2008.10.13
- no code changes, publish v.16_3 as v.17 because it looks better
than v.16
- document win32 behavior regarding non-blocking and timeouts
v.16_3 2008.09.25
- fix t/nonblock.t with workaround for problems with
IO::Socket::INET on some systems (Mac,5.6.2) where it cannot do
nonblocking connect and leaves socket blocked.
- make some tests less verbose by fixing diag in t/testlib.t
(send output to STDOUT not STDERR and prefix with '#')
v.16_2 2008.09.24
- work around Bug in IO::Socket::INET6 on BSD systems
http://rt.cpan.org/Ticket/Display.html?id=39550
by setting Domain based on PeerAddr
Thanks to srezic for report and support
- remove tests of recv/send from t/core.t. Might badly interact
with SSL handshake and cause crashes as seen on OS X 10.4
v.16_1 2008.09.19
- better support for IPv6:
- IPv6 is enabled by default if IO::Socket::INET6 is available
- t/inet6.t for basic tests
--
pakchois is just another PKCS#11 wrapper library. pakchois aims to
provide a thin wrapper over the PKCS#11 interface.
The goals are:
1) to offer a modern* object-oriented C interface wrapper for PKCS#11.
2) to not hide or abstract away any details of the PKCS#11 interface
itself except where absolutely necessary.
3) to handle the details of loading DSOs
4) to allow the caller to avoid caring about where on the system
PKCS#11 modules might be stored, or exactly how they are named.
5) to avoid any dependency on a particular cryptography toolkit.
Existing PKCS#11 wrapper libraries solutions differ in at least one of
the above goals.
*: "modern" being a euphemism for not using process-global state,
having a sane symbol namespace, etc.
patch-ag and patch-ah fix void functions that attempt to return the result
of calling a void function.
patch-ai conditionally includes <sys/inttypes.h> to pick up uint32_t
is incorrect because:
1) _gcry_rngfips_deinit_external_test() is void function
2) the calling function, random, is declared void
The unpatched code will not compile with Sun compiler.
Seahorse is a GNOME front-end for GnuGP. It can be used for signing,
encrypting, verifying and decrypting text and files. The text can be
taken from the clipboard, or written directly in the little editor it
has. Seahorse is also a keymanager, which can be used to edit almost
all the properties of the keys stored in your keyrings.
This package contains various plugins for Seahorse.
tools moved to the new seahorse-plugins package.
seahorse 2.24.1
---------------
* Fix problems with seahorse crashing when searching for
remote keys. [Adam Schreiber]
* Build fixes on Solaris [Jeff Cai]
* Fix selection of keys in libcryptui. [Philip Withnall]
* I18n fixes. [Adam Schreiber]
seahorse 2.24.0
---------------
* Some tweaks to the password prompt window, including allowing
minimizing to release the keyboard grab.
* Fix compiler warnings for gcc 4.3.
* Return a 'cancelled' error when from the daemon crypto dbus
methods when a user cancels out of a password prompt.
* Show revoked subkeys properly in details view of PGP keys.
* Fix problem deleting SSH keys.
* Fix dialog prompt column widths, and elipsize long text in
key listing. [Adam Schreiber]
* Fix problem with 'no keys available' when trying to sign a
PGP key from within the key manager.
* Add 'exportable' flag to objects/keys and don't enable export
UI if selected objects are not exportable.
* Build fixes [Joe Orton, Adam Schreiber]
* Crash and other fixes. [Christian Persch]
seahorse 2.23.92
----------------
* Fix crash when changing a stored Gnome Keyring password.
* Fix certain crashes on syncing, searching and other operations.
* Fix dumb 'Couldn't import keys' error message when success.
seahorse 2.23.91
----------------
* Fix copying keys to the clipboard. [Adam Schreiber]
* Fix double free crash when importing keys.
* Fix crasher when deleting a key.
* Don't add extra null bytes to SSH authorized_keys and
similar files. [Adam Schreiber]
* Documentation fixes. [Adam Schreiber]
* Don't repeatedly load gnome-keyring items. [Adam Schreiber]
* Make help button in 'First Time Options' work proprely. [Adam Schreiber]
* Better wording for options in PGP key dialogs. [Adam Schreiber]
seahorse 2.23.90
----------------
* Icon makeover. [Michael Monreal]
seahorse 2.23.6
---------------
* Initial PKCS#11 certificate listing implementation.
* Internal code refactoring.
* Fix problems with reference counting on operations.
* Use base64 functions in glib, rather than rolling our own.
* Don't use deprecated LDAP functions. [Adam Schreiber]
* String operation fixes. [Adam Schreiber]
* Build fixes [Jeff Cai]
seahorse 2.23.5
---------------
* Fix importing keys from key servers [Mackenzie Morgan]
* Factor out seahorse-plugins to a different module.
* Add XDS drag and drop support.
* Remove gnome-vfs dependency and use gio instead.
* Return key id of signer from DBus service even when key
is not found locally [Adam Schreiber]
* Refactor UI code internally into modules.
* Remove hard GPG and GPGME dependency.
* Replace signer drop down in key chooser with just a check
button when only one secret key exists. [Adam Schreiber]
* Set sync button insensitive when no server is selected.
[Adam Schreiber]
* Test for secure memory before using it. [Coleman Kane]
* Change trust model used to match GPG's. [Adam Schreiber]
* Remove libgnome and libgnomeui dependencies. [Saleem Abdulrasool]
* Grab keyboard focus when prompting for password.
[Josselin Mouette]
* Use the vala programming language for some code.
* Add initial infrastructure for PKCS#11 key/certificate support.
* Save and load window sizes from gconf. [Adam Schreiber]
* Build fixes [Brian Cameron, Saleem Abdulrasool, Alexis Ballier,
Christian Persch, Rodrigo Moya]
ASN1-encoded files (DER, BER, PER, etc.) in Python. ASN1 is the Abstract
Syntax Notation version 1, as defined by the International Telecommunication
Union (ITU).
to trigger/signal a rebuild for the transition 5.8.8 -> 5.10.0.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=...").
- Fix log file permission error, that could happen thought the user
Prelude-LML was running as could access the file (#291).
- ModSecurity ruleset update, by Dan Kopecek <dkopecek@redhat.com>:
provides much more descriptive classification.text, add regexps for
[file ..], [line ...], [tag ...] fields and fine tune targets/types
(#321).
- Deprecate Gamin/FAM support in favor of libev: the previous
implementation had problem on SELinux enabled system due to Gamin server
startup being triggered by other program, and thus using improper role
for Prelude-LML.
(#326).
- Improved polling architecture by using Operating System specific
backend when possible.
- We now monitor files that are not immediately available for reading on
startup: once the file can be monitored, libev provide us with a
notification.
- Fix an assertion warning upon sensor start in case the address
for the local machine could not be found.
- Consistency rework of EasyBindings IDMEFCriteria API.
- Add refcount support for prelude_client_t and
prelude_client_profile_t, and update EasyBindings destructor to use
them.
- Fix a bug where EasyBindings would be built although they were not
enabled.
- Fix path issue in case libprelude was configured with specific path
outside of $prefix (fix#319).
* libgnutls: Correct printing and parsing of IPv6 addresses.
* libgnutls-openssl: fix out of bounds access.
* certtool: Use inet_pton for parsing IPv6 addresses.
* Added API to replace and update the crypto backend.
* certtool: can add several subject alternative names via template file.
* opencdk: Parse (but not decrypt) encrypted secret keys.
* more...
* libwrap related fixes, better debugging messages, MS Visual C++ support
Changes 4.25:
* delay libwrap process spawning after dropping privs, other improvements
* Try to auto-initialize Libgcrypt to minimize the effect of
applications not doing that correctly. This is not a perfect
solution but given that many applicationion would totally fail
without such a hack, we try to help at least with the most common
cases. Folks, please read the manual to learn how to properly
initialize Libgcrypt!
* Auto-initialize the secure memory to 32k instead of aborting the
process.
* Log fatal errors via syslog.
* Changed the name and the semantics of the fips mode config file.
* Add convenience macro gcry_fips_mode_active.
* More self-tests.
* Documentation cleanups.
* Fixed a build problem under Windows.
Changes 1.5:
* Minor build system fixes.
* Updated gettext. Removed included gettext copy.
* gpg-error has a new option --version.
Need to BUILDLINK_ABI_DEPENDS on the 2.2.11 versions of the libraries.
Bump PKGREVISION wholesale to disambiguate the fixed packages from the botched
ones and depend on them.
Use GPLed version of the plugins instead of the non-free version.
While here fix permissions of PKG_SYSCONFDIR in nessus-core/Makefile.
Use ./configure as one is now supplied
libmxl2 is no longer optional but curl is
Rename doc/eg dirs from ap-security to ap-modsecurity
* Allow for disabling request body limit checks in phase:1
* Now log XML parsing/validation warnings and errors to be in the debug log
at levels 3 and 4, respectivly.
* Transformation caching has been deprecated, and is now off by default. We
now advise against using transformation caching in production.
* Improve request body processing error messages.
Any many more . . . see CHANGES for all the details
Don't call pkg_info to get the installed Emacs version; always use the
version matching EMACS_TYPE set by users. Be DEPENDS to it. This should
address pkg/37146 by Aleksey Cheusov.
While here convert some emacs lisp packages to user-destdir.
v1.16
- change code for SSL_check_crl to use X509_STORE_set_flags instead of
X509_STORE_CTX_set_flags based on bug report from
<tjtoocool[AT]phreaker[DOT]net >
- change opened() to report -1 if the IO::Handle is open, but the
SSL connection failed, needed with HTTP::Daemon::SSL which will send
an error mssage over the unencrypted socket
only suggest pthread option when native pthread exists.
We cannot use pthread.buildlink3.mk to just detect if suituable pthread
implementation exist or not.
Avoid unwanted dependency on pthread package when no native pthread and
pthread option off.
* Move inclusion of seculity/tcp_wappers/buildlink3.mk to rightful place in
options.mk.
Avoid unwanted dependency on tcp_wrappers when libwrap option off.
* Remove deprecated(?) --with-tcp-wrappers from CONFIGURE_ARGS.
* Remove --enable-libwrap from CONFIGURE_ARGS even if require tcp_wrappers.
It affect not only check of existence of tcp_wappers but also blow off
needful addition of -lwrap to LIBS.
Fixes PR 39635
* In dsniff-nox11/Makefile, add a post-configure target to move
missing/sys/queue.h out of the way if the configure script
found a real sys/queue.h.
* Add patches to #include <string.h> in some files where I noticed warnings.
Bump PKGREVISION for both dsniff and dsniff-nox11.
finally. While here, fix PLIST and depkglint a bit. Also, fix the horrid
abuse of libtool.
Changes since 0.60.2:
* courier-authlib.spec: Dummy provides: for symlinks, to allow upgrade
with older packages that require <libname>.so.0.
* Makefile.am: Switch to versionless shared libraries.
Install all shared libraries just as <libname>.so. make install manually
removes *.so.0.0 files that were left over from previous versions,
and installs a temporary *.so.0 symlink to *.so, for temporary
binary ABI compatibility with 0.60. The symlinks will be removed in
0.62.
* Cleanup: always compile md5, sha* and hmac stuff, and remove all
conditionally-compiled cruft. Move SASL list to an internal header.
Add client-side support for AUTH EXTERNAL.
* authsasl.c (auth_sasl_ex): auth_sasl_ex() supercedes auth_sasl(),
invokes auth_sasl() for non-EXTERNAL SASL methods, implements EXTERNAL
by going through the motions, then setting up a dummy authentication
request.
* authdaemon.c (auth_generic): Check for the dummy EXTERNAL
authentication request, and handle it by invoking auth_getuserinfo(),
rather than sending it down the pipe. This avoid having to implement
a stub in every authentication module.
* authmysqllib.c: Use mysql_set_character_set() instead of SET NAMES
* authmysqllib.c: Fix domain-less queries.
* Makefile: Drop the unmaintained authvchkpw module.
* authmysqllib.c: Cleanup. Use mysql_real_escape_string instead of
crude filtering.
* Makefile.am: Use _LIBADD properly.
* configure.in: More portability fixes.
Packages Collection.
The Perl 5 module Authen::CAS::Client provides a simple interface
for authenticating users using JA-SIG's CAS protocol. Both CAS v1.0
and v2.0 are supported.
Changes from OpenSSH 5.0 is huge to write here, please refer its
release note: http://www.openssh.com/txt/release-5.1.
I quote only Security section from the release note.
Security:
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
other platforms) when X11UseLocalhost=no
When attempting to bind(2) to a port that has previously been bound
with SO_REUSEADDR set, most operating systems check that either the
effective user-id matches the previous bind (common on BSD-derived
systems) or that the bind addresses do not overlap (Linux and
Solaris).
Some operating systems, such as HP/UX, do not perform these checks
and are vulnerable to an X11 man-in-the-middle attack when the
sshd_config(5) option X11UseLocalhost has been set to "no" - an
attacker may establish a more-specific bind, which will be used in
preference to sshd's wildcard listener.
Modern BSD operating systems, Linux, OS X and Solaris implement the
above checks and are not vulnerable to this attack, nor are systems
where the X11UseLocalhost has been left at the default value of
"yes".
Portable OpenSSH 5.1 avoids this problem for all operating systems
by not setting SO_REUSEADDR when X11UseLocalhost is set to no.
This vulnerability was reported by sway2004009 AT hotmail.com.
Upstream changes:
1.07 - Fri Aug 15 16:53:36 2008
* Fixed the odd character problems in some of the files
* No need to upgrade if you already have this installed
1.06_03 - Sun Jun 22 11:32:46 2008
* Trying the __sgi definition. If this doesn't make things
blow up, this release will get bumped to 1.07.
1.06_02 - Thu Jun 19 11:55:21 2008
* Removed wide chars from the header file. Some compilers
like to complain about things that are wrong. :(
1.06_01 - Wed Jun 18 09:37:34 2008
This is a test of a fix for Irix.
1.06_01 - Wed Jun 4 19:18:57 2008
* This is a test of a fix for Irix.
* Rewrite to use poll instead of select.
* Improve Windows installation instructions in the manual.
* tests: New self test of gsasl_mechanism_name function.
This is not acceptable for us. Instead, we patch to use libtool.
The included test passes.
Changes since 1.0.3:
* Minor fixes.
* Build library for GNU/Linux as PIC [**but we use libtool**]
* New hook feature to enhance the internal I/O functions.
v1.15
- change internal behavior when SSL handshake failed (like when verify
callback returned an error) in the hope to fix spurios errors in
t/auto_verify_hostname.t
- Make this compile on amd64
- Don't silently look for libraries when we don't need them. This should fix
PR 39318
- Add missing depends on apr
Release 5.4
###########
* Fixes to the http modules as some Apache installations are picky
* The MySQL module also works with mysqld-5.0, updated
* Added AS/400 return code checks to pop3 module
* Fixed memory leaks in the http-form module.
* Implemented a proposal by Jean-Baptiste.BEAUFRETON (at) turbomeca.fr to
check for "530 user unknown" message in the ftp module
* Added a performance patch by alejandro.mendiondo (at) baicom.com. This one
needs stability testing!
* Beautification to remove compiler warnings of modern gcc
- preludedb-admin has a bew 'count' command, printing the result of a
COUNT() on the database.
- preludedb-admin work on smaller set of data, to prevent large
retrieval error (fix#220, refs #305).
- preludedb-admin handling of interrupted transaction was improved.
- Fix MySQL and SQLite MacOSX detection, by
Uwe Schwartz <usx303 at googlemail.com>. (fix#296).
ModSecurity ruleset rewrite, by Peter Vrabec <pvrabec@redhat.com> and
Dan Kopecek <dkopecek@redhat.com>. This ruleset handle ModSecurity 2.0
output. (Fix#216).
- New rulesets for FreeBSD su attempts, by Alexander Afonyashin <firm@iname.com>
(Fix#304).
- Add additional format to the default configuration to deal with apache
error_log file format, by Alexander Afonyashin <firm@iname.com> (Fix#307).
- Normalize some classification: introduce Remote Login, and
Credentials Change. Cleanup SSH ruleset, and remove duplicated rules.
- EasyBindings inclusion! EasyBindings provide simple C++, Python,
Perl, Ruby, and Lua bindings for using libprelude. They are still
considered experimental, thus you need to use (--enable-easy-bindings)
to activate them. Thanks to Sebastien Tricaud <toady@inl.fr> and
Pierre Chifflier <p.chifflier@inl.fr> for their contribution to this
project!
- Use automake/autoconf for building/installing Python extension.
- Fix 0.9.18 regression (alert created with empty CreateTime).
- Implement reference counting for the idmef-criteria and
prelude-connection API.
- Automatic casting when setting IDMEF Value to a field that is of
different type. Until now, if an user tried to set a path of a
specific type with an idmef_value_t object containing another type,
idmef_path_set() would return an error.
- Various bug fixes.
Based on PR 39222 by Jens Rehsack.
This module implements a wrapper around OpenSSL. Specifically, it wraps the
methods related to the US Government's Advanced Encryption Standard (the
Rijndael algorithm).
This module is compatible with Crypt::CBC (and likely other modules that
utilize a block cipher to make a stream cipher).
This module is an alternative to the implementation provided by Crypt::Rijndael
which implements AES itself. In contrast, this module is simply a wrapper
around the OpenSSL library.
The Crypt::Rijndael implementation seems to produce inaccurate results on
64-bit x86 machines. By using OpenSSL, this module aims to avoid architecture
specific problems, allowing the OpenSSL maintainers to overcome such issues.
This is the RIPE NCC DNSSEC Key Management tools, described at
https://www.ripe.net/projects/disi/dnssec_maint_tool/
This class implements an interface to a database of private keys used
during DNSSEC administration.
This package includes some diffs to the self-tests, so that they pass.
0.22 Mo Mai 29 21:15:17 CEST 2006
- Bugfixs
0.23 Mi Aug 2 15:48:19 UTC 2006
- Re-added support of MIT Kerberos 1.2.x
0.24 Wed, 21 Feb 2007 20:59:39 +0100
- Changed tests as an answer to FAIL 413320
0.25 So 3. Feb 20:18:16 UTC 2008
- Enhancement to use OpenSolaris/Solaris 10 native gss library
0.26 Fr 15. Feb 22:32:10 UTC 2008
- modified Makefile.PL to trigger no FAIL testreports
in case of missing prerequirements.
Pkgsrc changes:
o Change MAINTAINER to pkgsrc-users@ as per communication with maintainer
Upstream changes:
Authen-SASL 2.11 -- Mon Apr 21 10:23:19 CDT 2008
Enhancements
* implement securesocket() in the ::Perl set of plugins
Bug Fixes
* fix parsing challenges from GnuSASL
* update tests for DIGEST-MD5
* New test from Phil Pennock for testing final server response
Changes since the 0.6 branch:
0.7.1 - 23 July 2008
o Fixes a memory leak when invalid proposal received
o Some fixes in DPD
o do not set default gss id if xauth is used
o fixed hybrid enabled builds
o fixed compilation on FreeBSD8
o cleanup in network port value manipulation
o gets ports from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_sp
i()
o Generates a log if cert validation has been disabled by configuration
o better handling for pfkey socket read errors
o Fixes in yacc / bison stuff
o new plog() macro (reduced CPU usage when logging is disabled)
o Try to works better with huge SPD/SAD
o Corrected modecfg option syntax
o Many other various fixes...
0.7 - 09 August 2007
o Xauth with pre-shared key PSK
o Xauth with certificates
o SHA2 support
o pkcs7 support
o system accounting (utmp)
o Darwin support
o configuration can be reloaded
o Support for UNIQUE generated policies
o Support for semi anonymous sainfos
o Support for ph1id to remoteid matching
o Plain RSA authentication
o Native LDAP support for Xauth and modecfg
o Group membership checks for Xauth and sainfo selection
o Camellia cipher support
o IKE Fragment force option
o Modecfg SplitNet attribute support
o Modecfg SplitDNS attribute support ( server side )
o Modecfg Default Domain attribute support
o Modecfg DNS/WINS server multiple attribute support
v1.14
- added support for verification of hostname from certificate
including subjectAltNames, support for IDN etc based on patch and
input from christopher[AT]odenbachs[DOT]de and
achim[AT]grolmsnet[DOT]de.
It is also possible to get more information from peer_certificate
based on this patch. See documentation for peer_certificate and
verify_hostname
- automatic verification of hostnames with SSL_verifycn_scheme and
SSL_verifycn_name
- global setting of default context options like SSL_verifycn_scheme,
SSL_verify_mode with set_ctx_defaults
- fix import of inet4,inet6 which got broken within 1.13_X.
Thanks to <at[AT]altlinux[DOT]ru> for bugreport and patch
- clarified and enhanced debugging supppport based on bugreport
http://rt.cpan.org/Ticket/Display.html?id=32960
- put information into README regarding the supported and recommanded
version of Net::SSLeay
1.35 25.07.208
- Fix test plan for autoload.t if Test::Exception isn't available.
- Skip rsa_generate_key.t if Test::Exception isn't available.
1.34 24.07.2008
- Fixed problem with X509_get_subjectAltNames, where some types of Alt
Name (eg DIRNAMEs) were not properly handled, resulting in seg faults.
Reported by Achim Grolms.
- Added support for ENGINE_load_builtin_engines and
ENGINE_register_all_complete in order to enable built-in OpenSSL
crypto engines for hardware acceleration etc.
- Added support for ENGINE_by_id and ENGINE_set_default, required
to enable Sun crypto acceleration
1.33_01 14.02.2008
- Fixed a compile problem with inc_paths /usr/kerberos/include
in inc/Module/Install/PRIVATE/Net/SSLeay.pm. Reported by "J. Nick
Koston via RT"
- Added optional support for SSL_set_hello_extension,
SSL_set_session_secret_cb to support various extension patches from
a patch to openssl-0.9.9-dev contributed by Jouni Malinen.
See wpa_supplicant/patches/openssl-0.9.9-session-ticket.patch in the
latest (git) version 0.6 and later of wpa_suplicant at
http://hostap.epitest.fi/. These additions are ifdefed to
SSL_F_SSL_SET_HELLO_EXTENSION which is added by the patch
Tested with openssl-SNAP-20070816.
- Added SSL_SESSION_set_master_key and SSL_get_keyblock_size.
- Added all SSL_OP_* options flags present in 0.9.9
- Fixed a bug in SSL_set_tmp_dh
- Doc improvements in README.Win32
- Fixed a problem with proxy connections: open_proxy_tcp_connection
was stopping after the first \n from teh proxy,
but instead should have looked for
$CRLF . $CRLF to find the beginning of the SSL content
- Fixed missing / on /usr/kerberos/include, reported by several people
- removed bacus.pt from host list in t/handle/external/10_destroy.t,
since it seems no longer to respond. Reported by tco2.
- changed t/handle/external/10_destroy.t so this list of URIs to be
tested can be configured with environment variable SSLEAY_URIS, a
colon separated list of host names. Suggested by tco2.
- changed t/handle/external/50_external.t and t/external/08_external.t
so this list of sites to be
tested can be configured with environment variable SSLEAY_SITES, a
colon separated list of host names. Suggested by tco2.
- Fixed doucumentation in README of how to use OPENSSL_PREFIX
environment variable to control the location of openssl. Reported by
"Quanah Gibson-Mount via RT".
- Don't use Module::Installs auto_install.
- Bind NID_ and GEN_ constants.
- Default to not running external tests.
sshfp is a small utility that generates RFC4255 SSHFP DNS records
based on the public keys stored in a known_hosts file or obtained by
using ssh-keyscan. If the nameserver of the domain allows zone
tranfers (AXFR), an entire domain can be processed for all its A
records. These can then be easilly added to a zone, and then secured
by DNSSEC.
Changes:
** libgnutls: Fix local crash in gnutls_handshake. [GNUTLS-SA-2008-2]
** libgnutls: Fix memory leaks when doing a re-handshake.
** Fix compiler warnings.
** Fix ordering of -I's to avoid opencdk.h conflict with system headers.
** srptool: Fix a problem where --verify check does not succeed.
Pkgsrc changes:
o Change to use CPAN as distribution source
o Change HOMEPAGE to use search.cpan.org; leave old
HOMEPAGE pointing to sourceforge commented-out
Upstream changes:
0.36 Mon Aug 13 12:16:38 EDT 2007
* [rt.cpan.org #28814] - Performance improvement
from mehradek (Radoslaw Zielinski)
-use English;
+use English qw( -no_match_vars );
0.35 Fri Apr 20 12:33:53 EDT 2007 - Jesse Vincent <jesse@bestpractical.com>
* New Maintainer: Jesse Vincent <jesse@bestpractical.com> took over
maintenance of this module.
* Removed test key expiry dates. (Fixes
http://rt.cpan.org/Ticket/Display.html?id=17618)
* Applied secret key output patch for modern GPG from
http://rt.cpan.org/Ticket/Display.html?id=17619
* Applied patch to support 'tru' record types from
(http://search.cpan.org/src/JRED/Mail-GPG-1.0.6/patches/)
0.07 Thu Jul 23 10:31:33 2008
- rt 34703
- argument logic before filehandle fetch so that they'll apply
- read small chunk of file handles instead if readline() to
avoid various issues
Pkgsrc changes:
o Added full list of dependencies, from Makefile.PL.
Upstream changes:
0.04 Sun Jun 15 16:22:32 JST 2008
* fixed a bug caused memory greediness with too long strings :<
* improved internal code for PAUSE.
0.03 Sat Jun 14 19:17:30 JST 2008
* added support for Math::Random::MT::Perl.
* switched to Module::Build.
* cleaned up test scripts.
* added 'binary' option to rndpassword.
Based on maintainer update request in PR 39196.
There are a lot of changes and some incompatabilities with 2.5.3
(current version in pkgsrc) particularly as respects SQL schema.
Consult vendor's releases notes for more detail:
http://www.ijs.si/software/amavisd/release-notes.txt
- no complete ChangeLog from upstream -
ChangeLog:
2000-03-13 Gisle Aas <gisle@ActiveState.com>
Release 2.01
Broken out of the Digest-MD5-2.12 distribution and made into
a separate dist.
events received by Prelude. Several isolated alerts, generated from
different probes, can thus trigger a single correlation alert should the
events be related. This correlation alert then appears within the
Prewikka interface and indicates the potential target information via
the set of correlation rules.
- Improve thread safety when evicting events to disk.
- Handle IDMEF message version tag, which will be used in upcoming
libprelude version.
- Add support for newer GnuTLS 2.2.0 session priority functions. When
the option is available, the user might specify TLS settings through
the "tls-options" configuration entry.
- Fix a possible crash upon destruction of a bufpool that is writing to
a failover.
- Correct strtoul() error checking, when verifying scheduler options.
- Add support for newer GnuTLS 2.2.0 session priority functions. When
the option is available, the user might specify TLS settings through
the "tls-options" configuration entry.
- Workaround a GnuTLS issue where the client wouldn't be able
to negotiate a supported compression protocol with the server (#299).
- Implement variable substitution in Prelude configuration files.
- Allow IDMEF criteria with multiples values for a single path,
as can be seen in the following example:
alert.classification.text = (A || B || C || D)
- Implement negation of idmef-criteria, allowing to write criteria like:
! (alert.classification.text = A || alert.classification.text = B)
- Fix an IDMEF-Criteria matching problem, where the match function would
not attempt to match a OR after multiple consecutive AND that failed.
Thanks Alexander Afonyashin <firm(at)iname.com> for pointing out the
problem.
- Never use non-pointer field, always use the "required" keyword. Fix
API consistency issue, that could lead to unexpected behavior.
- Fix multiples problem with prelude_read_multiline /
prelude_read_multiline2,
(fix a problem with prelude-manager idmef-criteria that wouldn't read
external ruleset).
- Error out if GnuTLS initialization fail.
Pkgsrc changes:
- none
Changes since version 1.58:
===========================
1.98 Jul 08, 2008
* Precedence bug in Public::write() and Private::write()
(http://rt.cpan.org/Public/Bug/Display.html?id=37489)
Thanks to HRAFNKELL for reporting this!
1.96 Jul 06, 2008
* Set the version numbers in modules to $Crypt::RSA::Version::VERSIOn
1.95 Jul 06, 2008
* Remove STDERR error output in Crypt::RSA::SS::PSS.
(http://rt.cpan.org/Public/Bug/Display.html?id=29048)
* Allow symmetric cipher specification in Crypt::RSA::Key.
(http://rt.cpan.org/Public/Bug/Display.html?id=27929)
* Fix bug in AUTOLOAD.
(http://rt.cpan.org/Public/Bug/Display.html?id=26028)
* Use Module::Install instead of ExtUtils::MakeMaker
* Consolidate versioning to module version in Crypt::RSA::Version
(which is the reason for the version # jump)
* "use base" instead of @ISA
* "use FindBin" instead of the literal "lib" - this is safer.
Pkgsrc changes:
- none
Changes since version 1.21:
===========================
1.24 (Tue Jul 15 14:35:35 EDT 2008)
- Remove references to Artistic License from README.
1.23 (Tue Jul 15 05:18:37 EDT 2008)
- Applied patch from ANDK@cpan.org to avoid failures in reforgy.t
[http://rt.cpan.org/Ticket/Display.html?id=27585]
- Turned off warnings in the test suite. It is supposed to generate
warnings but it freaks out people.
- License changed to Artistic 2.0 | GPL for Fedora folks.
Pkgsrc changes:
- none
Changes since version 2.24:
===========================
2.29 Tue Apr 22 10:22:37 EDT 2008
- Fixed errors that occurred when encrypting/decrypting utf8 strings
in Perl's more recent than 5.8.8.
2.28 Mon Mar 31 10:46:25 EDT 2008
- Fixed bug in onesandzeroes test that causes it to fail with
Rijndael module is not installed.
2.27 Fri Mar 28 10:13:32 EDT 2008
- When taint mode is turned on and user is using a tainted key,
explicitly check tainting of key in order to avoid "cryptic"
failure messages from some crypt modules.
2.26 Thu Mar 20 16:41:23 EDT 2008
- Fixed onezeropadding test, which was not reporting its test count
properly.
2.25 Fri Jan 11 15:26:27 EST 2008
- Fixed failure of oneandzeroes padding when plaintext size is
an even multiple of blocksize.
- Added new "rijndael_compat" padding method, which is compatible
with the oneandzeroes padding method used by Crypt::Rijndael in
CBC mode.
Pkgsrc changes:
- none
Changes since version 5.45:
===========================
5.47 Wed Apr 30 04:00:54 MST 2008
- modified Makefile.PL to install in core for Perls >= 5.10
-- thanks to Jerry Hedden for patch
- changed from #include <> to #include "" in SHA.xs
-- some platforms not able to find SHA source files
-- thanks to Alexandr Ciornii for testing
- moved .pm file to appropriate lib directory
- minor addition to META.yml
5.46 Wed Apr 9 05:04:00 MST 2008
- modified Addfile to recognize leading and trailing
whitespace in filenames (ref. rt.cpan.org #34690)
- minor C source code modification (ref. hmac.c)
- use const in sha.c for clean builds with -Wwrite-strings
-- thanks to Robin Barker for patch
(I didn't try whether it still works on 4.0. Would be nice if
someone did it.)
-supply an example pam.conf file
-slow down to avoid abuse, better cleanup in error cases, more paranoia
thanks to Joerg for suggestions
- fixed dependencies (required)
ChangeLog:
1.06 - Wed Apr 23 13:14:34 2008
* This release has a compiler-bug workaround for Sun C 5.9
identified by Andy Armstrong. No, really, it was a compiler
bug: http://in.opensolaris.org/jive/thread.jspa?threadID=53641&tstart=0
* You don't need to upgrade if you already have 1.05.
Changelog:
0.11 Wed Oct 31 20:26:13 2007
- fixed __reflect error
0.12 Sat Nov 3 10:11:42 2007
- Debug output removed
0.13 Sun Nov 4 11:22:54 2007
- fixed tests
0.14 Mon Nov 5 08:10:11 2007
- fixed __reflect error in non XS part
The Crypt::GPG module provides access to the functionality of the
GnuPG (www.gnupg.org) encryption tool through an object oriented
interface.
It provides methods for encryption, decryption, signing, signature
verification, key generation, key certification, export and import.
Key-server access is on the todo list.
Two crashes discovered using the Codenomicon TLS test suite, as reported
in CVE-2008-0891 and CVE-2008-1672, were fixed. The root CA certificates
of commercial CAs were removed from the distribution. Functions were added
to implement RFC3394 compatible AES key wrapping. Utility functions to
handle ASN1 structures were added. The certificate status request TLS
extension, as defined in RFC3546, was implemented. Several other bugfixes
and enhancements were made.
660) The -i flag should imply resetting the environment, as it did in
sudo version prior to 1.6.9. Also, the -i and -E flags are
mutually exclusive.
661) Fixed the configure test for dirfd() under Linux.
662) Fixed test for whether -lintl is required to link.
663) Changed how sudo handles the child process when sending mail.
This fixes a problem on Linux with the mail_always option.
664) Fixed a problem with line continuation characters inside of
quoted strings.
- telnetd username and environment sanitizing vulnerabilities ("-f root")
as described in MIT Kerberos advisory 2007-001.
- krb5_klog_syslog() problems with overly long log strings as described
in MIT Kerberos advisory 2007-002.
- GSS API kg_unseal_v1() double free vulnerability as described in the
MIT Kerberos advisory 2007-003.
- Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake
which could lead to a silent crash.
- Fix double free in TLS server name extensions which could lead to a remote
crash.
Patches from upstream.
changes:
-minor UI improvements
-bugfixes
-portability improvements, in particular for credential passing on
local sockets -- unfortunately a bit of the patch I submitted upstream
got lost
4.24: fix security problem (properly reject revoked certs)
4.23: WinNT bugfix
4.22:
- A new global option to control logging to syslog.
Simultaneous logging to a file and the syslog is now possible.
- A new service level option to control stack size.
- Restored chroot() to be executed after decoding numerical
userid and groupid values in drop_privileges().
- A few bugs fixed the in the new libwrap support code.
- TLSv1 method used by default in FIPS mode instead of
SSLv3 client and SSLv23 server methods.
4.21:
- Initial FIPS 140-2 support (see INSTALL.FIPS for details).
- Experimental fast support for non-MT-safe libwrap is provided
with pre-spawned processes.
- Stunnel binary moved from /usr/local/sbin to /usr/local/bin
in order to meet FHS and LSB requirements.
- Added code to disallow compiling stunnel with pthreads when
OpenSSL is compiled without threads support.
- Minor manual update.
- TODO file updated.
- Dynamic locking callbacks added (needed by some engines to work).
- AC_ARG_ENABLE fixed in configure.am to accept yes/no arguments.
- On some systems libwrap requires yp_get_default_domain from libnsl,
additional checking for libnsl was added to the ./configure script.
- Sending a list of trusted CAs for the client to choose the right
certificate restored.
- Some compatibility issues with NTLM authentication fixed.
patches to add it). Drop pax from the default USE_TOOLS list.
Make bsdtar the default for those places that wanted gtar to extract
long links etc, as bsdtar can be built of the tree.
* Version 2.2.5 (released 2008-05-19)
Fix flaw in fix for GNUTLS-SA-2008-1-3.
* Version 2.2.4 (released 2008-05-19)
Fix three security vulnerabilities. [GNUTLS-SA-2008-1]
[GNUTLS-SA-2008-1-1]
libgnutls: Fix crash when sending invalid server name.
[GNUTLS-SA-2008-1-2]
libgnutls: Fix crash when sending repeated client hellos.
[GNUTLS-SA-2008-1-3]
libgnutls: Fix crash in cipher padding decoding for invalid record lengths.
* Version 2.2.3 (released 2008-05-06)
Increase default handshake packet size limit to 48kb.
Fix compilation error related to __FUNCTION__ on some systems.
Documented the --priority option to gnutls-cli and gnutls-serv.
Fix fopen file descriptor leak in PSK server code.
Build Guile code with -fgnu89-inline only when supported.
Make Camellia encryption work.
Based on patch provided by Eric Schnoebelen in PR 38692.
While here, marked as DESTDIR support.
Also fix CONFIGURE option for GSSAPI implement (I don't know from when).
* Version 0.2.26 (released 2008-05-05)
** Translations files not stored directly in git to avoid merge conflicts.
This allows us to avoid use of --no-location which makes the
translation teams happier.
** Build fixes for the documentation.
** Update gnulib files.
* Version 0.2.25 (released 2008-03-10)
** gsasl: Fix buffering issue to avoid mixing stdout/stderr outputs.
This would manifest itself when redirecting output to a pipe, such as
when used with Gnus. Reported by Enrico Scholz
<enrico.scholz@informatik.tu-chemnitz.de>, see
<http://thread.gmane.org/gmane.comp.gnu.gsasl.general/123>.
** Fix non-portable use of brace expansion in makefiles.
* Version 0.2.24 (released 2008-01-15)
** Link self-tests with gnulib, to fix link failures under MinGW.
* Version 0.2.23 (released 2008-01-15)
** Improve CRAM-MD5 self-test to detect if challenges are the same.
** Improve gsasl --help and --version to conform with GNU standards.
** Use gettext 0.17.
** Update gnulib files.
* Version 0.2.22 (released 2007-10-08)
** Development git tree moved to savannah.
See <https://savannah.gnu.org/projects/gsasl/>.
** Fix warnings when building the tool 'gsasl'.
** Update gnulib files.
